permissions/permissions.spec

#
# spec file for package permissions (Version 2008.11.7)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: permissions
License: GPL v2 or later
Group: Productivity/Security
AutoReqProv: on
Version: 2008.11.7
Release: 1
Provides: aaa_base:/etc/permissions
Requires: /sbin/SuSEconfig
PreReq: %fillup_prereq
Summary: SUSE Linux Default Permissions
#Source: permissions.tar.bz2
Source1: SuSEconfig.permissions
Source2: chkstat.c
Source3: chkstat.8
Source4: sysconfig.security
Source5: permissions
Source6: permissions.easy
Source7: permissions.paranoid
Source8: permissions.secure
Source9: permissions.local
Source99: checkpermissionfiles.pl
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
This package contains specifications for permissions of specific files,
directories, and devices depending on the local security settings. The
local security setting (easy, secure, or paranoid) can be configured in
/etc/sysconfig/security.
Authors:
--------
Werner Fink <werner@suse.de>
Roman Drahtmüller <draht@suse.de>
%prep
%build
gcc -Wall $RPM_OPT_FLAGS %{SOURCE2} -o chkstat
%install
mkdir -p $RPM_BUILD_ROOT/etc
mkdir -p $RPM_BUILD_ROOT%{_bindir}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/sbin/conf.d
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 755 chkstat $RPM_BUILD_ROOT%{_bindir}
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/sbin/conf.d
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE9} $RPM_BUILD_ROOT/etc
%post
%{fillup_only -n security}
%files
%defattr(-,root,root,-)
/etc/permissions
/etc/permissions.easy
/etc/permissions.secure
/etc/permissions.paranoid
%config(noreplace) /etc/permissions.local
%{_bindir}/chkstat
%{_mandir}/man8/chkstat.8*
/sbin/conf.d/SuSEconfig.permissions
/var/adm/fillup-templates/sysconfig.security
%changelog
* Fri Nov 07 2008 lnussel@suse.de
- add newrole from policycoreutils (bnc#440596)
* Thu Oct 23 2008 lnussel@suse.de
- add udev device files (bnc#438039)
- add system crash dump directory (bnc#438041)
- add bind chroot devices (bnc#438045)
* Mon Oct 20 2008 lnussel@suse.de
- dbus-daemon-launch-helper needs to be setuid in level secure
(bnc#435776)
* Thu Sep 25 2008 lnussel@suse.de
- change /var/games to 755 to prevent ill-considered maneuvers there
(bnc#429882)
* Thu Sep 11 2008 lnussel@suse.de
- remove static smpppd config file permissions
- fix permissions of polkit-set-default-helper
- grant permissions to PolicyKit helpers also in level secure
* Tue Jul 15 2008 lnussel@suse.de
- ensure correct permissions on ssh files to avoid sshd refusing
logins (bnc#398250)
* Thu Jul 03 2008 lnussel@suse.de
- adapt permissions of lppasswd for current cups setup (bnc#406058)
* Mon Jun 02 2008 lnussel@suse.de
- add mount.nfs due to an ever increasing number of users
hit by the regression (bnc#331020, bnc#304318)
* Wed May 07 2008 lnussel@suse.de
- zypp-checkpatches-wrapper -> zypp-refresh-wrapper (bnc#385207)
* Mon Apr 21 2008 lnussel@suse.de
- /dev/full should be 0666 (bnc#379545)
* Thu Apr 17 2008 lnussel@suse.de
- update chkstat manpage and support '--' argument for chkstat
(bnc#57438)
* Wed Mar 12 2008 lnussel@suse.de
- new PolicyKit permissions (bnc#295341)
- remove obsolete entries for scmxx and zapping
* Mon Jan 07 2008 lnussel@suse.de
- remove setuid bits on man (#351988)
* Mon Dec 03 2007 lnussel@suse.de
- add dbus-daemon-launch-helper (#333361)
* Fri Nov 02 2007 dmueller@suse.de
- kcheckpass/kdesud moved to %%_libdir/kde4/libexec
* Wed Oct 17 2007 lnussel@suse.de
- remove bing (#306626)
* Fri Oct 12 2007 lnussel@suse.de
- remove suexec2 (#263789)
* Fri Aug 10 2007 aj@suse.de
- Readd nscd socket permissions, otherwise glibc build will fail.
* Fri Aug 10 2007 lnussel@suse.de
- add PolicyKit helpers (#295341)
* Wed Aug 08 2007 lnussel@suse.de
- remove nscd socket permission handling as chkstat refuses to touch
that file anyways (#298334).
* Tue Jun 12 2007 schwab@suse.de
- permissions.local: Fix comment to use uid:gid instead of uid.gid.
* Fri Jun 01 2007 lnussel@suse.de
- package /etc/permissions.local
* Wed May 30 2007 lnussel@suse.de
- add /usr/bin/kcheckpass and /usr/bin/kdesud (#276502)
* Wed Apr 18 2007 dmueller@suse.de
- create debuginfo package (#265667)
* Thu Feb 22 2007 lnussel@suse.de
- prefer package specific permissions files over central ones
(#246252)
* Thu Feb 22 2007 lnussel@suse.de
- add /opt/kde3/bin/start_kdeinit (#203535)
- remove entries for dropped packages OpenPBS and xtetris
* Wed Jan 17 2007 lnussel@suse.de
- make pam authentication helpers unix_chkpwd, unix2_chkpwd and
pam_auth setuid root instead of setgid shadow (#216816)
* Wed Jan 10 2007 sbrabec@suse.cz
- Prefix of /opt/gnome binaries changed to /usr.
- Removed gnome-stones.
* Mon Nov 13 2006 lnussel@suse.de
- remove khc_indexbuilder (#188192)
* Mon Oct 16 2006 lnussel@suse.de
- add zypp patch checking helper (#211286)
* Wed Aug 23 2006 lnussel@suse.de
- /usr/X11R6 -> /usr
- remove obsolete entries for xmris,pcmcia-cardinfo,geki2,vmware,nicimud
* Thu Aug 17 2006 cthiel@suse.de
- change paths for v4l-conf from /usr/X11R6/bin to /usr/bin
* Thu Jul 20 2006 sndirsch@suse.de
- Xorg moved from /usr/X11R6/bin to /usr/bin; fixes build of
xorg-x11-server package
* Tue Jun 27 2006 lnussel@suse.de
- remove setuid bit on gpg (#137562)
* Fri May 19 2006 lnussel@suse.de
- add get_printing_ticket in order to enable smb printing with
kerberos authentication (#177114)
* Wed May 17 2006 lnussel@suse.de
- add setuid bit to gnomesu-pam-backend in level secure (#175616)
* Thu Feb 23 2006 schwab@suse.de
- /usr/lib/ia32el/suid_libia32x.so renamed to suid_ia32x_loader.
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Mon Jan 16 2006 meissner@suse.de
- removed pmount, pumount.
- moved pmpost to /usr/lib/pcp/pmpost.
* Thu Dec 15 2005 lnussel@suse.de
- /opt/kde3/bin/fileshareset -> /usr/bin/fileshareset
* Fri Dec 09 2005 meissner@suse.de
- temporary only setuid bit for pmount and pumount. #135792
* Wed Nov 23 2005 lnussel@suse.de
- add /usr/bin/fusermount (#133657)
* Mon Nov 21 2005 lnussel@suse.de
- remove Xwrapper, it's a symlink nowadays (#134611)
* Wed Nov 02 2005 dmueller@suse.de
- don't build as root
* Thu Oct 13 2005 meissner@suse.de
- nici moved to /var/opt/novell/...
* Tue Oct 11 2005 meissner@suse.de
- Temporarily added setuid binary from "nici" (Novell I? Crypto Interface),
bug #127545.
* Fri Sep 30 2005 lnussel@suse.de
- add slashes to several directories (#103186)
- change /var/games to games:games 775 again (#103186)
* Tue Aug 30 2005 lnussel@suse.de
- remove kpopup helper (#100132)
* Thu Aug 25 2005 lnussel@suse.de
- add /opt/gnome/sbin/change-passwd (#104993)
* Thu Aug 11 2005 lnussel@suse.de
- remove xmcd (#104040)
- add suexec2 from apache2 (#66304)
- add exim (#66306)
* Thu Aug 11 2005 lnussel@suse.de
- remove /opt/gnome/bin/iagno (#103844)
* Wed Aug 10 2005 lnussel@suse.de
- remove xbl (#103762)
- clean up bsd games list (#103785)
- remove score files as they are the same in all levels anyways
* Wed Aug 10 2005 lnussel@suse.de
- change /var/games{,/xsok} to root:root (#103186)
* Fri Aug 05 2005 lnussel@suse.de
- /usr/sbin/isdnctrl -> /sbin/isdnctrl (#100750)
* Tue Aug 02 2005 lnussel@suse.de
- remove kde games again. Turned out they don't work as intended.
* Tue Aug 02 2005 lnussel@suse.de
- cardctl -> pccardctl (#100120)
* Fri Jul 22 2005 lnussel@suse.de
- add setgid games to some kde games
* Wed Jun 08 2005 lnussel@suse.de
- use correct gnomesu-pam-backend path
* Tue Jun 07 2005 lnussel@suse.de
- add gnomesu-pam-backend (#75823)
- add lppasswd (#66305)
- make ntping 4750 root:trusted also in easy (#66211)
- add cl_status from heartbeat (#66310)
- remove unused /opt/gnome/sbin/change-passwd
* Mon May 16 2005 ro@suse.de
- added /opt/gnome/sbin/change-passwd
* Mon Apr 25 2005 lnussel@suse.de
- add OpenPBS permissions (#66320)
* Tue Mar 01 2005 lnussel@suse.de
- fix inn permissions (#67032)
- remove setuid bit from ziptool (#66191)
* Wed Feb 23 2005 lnussel@suse.de
- remove no longer existing files
- remove setuid plpnfsd (#66207)
- remove setuid bit from dga program
- change vmware permissions
- add /opt/kde3/bin/receivepopup (#66313)
- add /opt/kde3/bin/fileshareset (#66312)
- add /usr/bin/scmxx (#66309)
- add some missing mailman files (#66315)
- include perl script to perform some basic consistency checks
* Mon Jan 31 2005 meissner@suse.de
- backported security fix from SLES 9 branch. #43035
* Sat Jan 15 2005 schwab@suse.de
- Comment fixes.
* Mon Nov 22 2004 sndirsch@suse.de
- permissions.secure: set Xorg to 0711 (4711 before)
* Wed Nov 10 2004 ro@suse.de
- /var/cache/fonts to 1777 (as in tetex perms before)
* Mon Nov 08 2004 kukuk@suse.de
- Add nscd socket to permissions file
* Tue Sep 14 2004 ro@suse.de
- do not use rpm in SuSEconfig.permissions (#45252)
* Tue Sep 14 2004 ro@suse.de
- dropped check for perl in SuSEconfig.permissions (#45252)
* Wed May 26 2004 draht@suse.de
- /usr/lib/ia32el/suid_libia32x.so set to (6755,0755,0755) (#40234)
source code audit in progress (#40234) (thomas)
* Fri May 14 2004 ro@suse.de
- /usr/lib/ia32el/suid_libia32x.so added to easy,secure,paranoid
(0755,0755,0755) (#40234)
* Thu Apr 15 2004 sndirsch@suse.de
- XFree86 --> Xorg in permissions files
* Tue Apr 06 2004 mls@suse.de
- added --root option for buildroot operation
* Mon Apr 05 2004 mls@suse.de
- chkstat: fixed relative symlink chasing
- /usr/src/packages/RPMS back to 1777 in easy, as chkstat can
now handle it
* Sun Apr 04 2004 mls@suse.de
- chkstat: added missing link count check and safepath() function
- chkstat: refuse to give away s-bits on insecure paths
- chkstat: bugfix: stat file again after chown, as modes may have
changed
* Fri Apr 02 2004 mls@suse.de
- chkstat: re-implemented it in C to make it more secure
* Thu Apr 01 2004 kukuk@suse.de
- Remove /var/lock/subsys [#37759]
- Add sticky bit to /var/lock [#37759]
* Wed Mar 24 2004 draht@suse.de
- make /usr/bin/gpg setuid root in easy+secure, 0755 in paranoid.
[#33570].
* Tue Mar 23 2004 draht@suse.de
- #36741: /usr/src/packages/RPMS 1777->0755 in easy.
* Mon Mar 22 2004 kukuk@suse.de
- Fix syntax error in permission.easy
- /usr/bin/ssh should be always 0755
* Fri Feb 13 2004 draht@suse.de
- /var/run/uscreens (root:root 1777) added
* Thu Feb 12 2004 kukuk@suse.de
- Don't modify group of crontab and at useless
* Fri Jan 09 2004 kukuk@suse.de
- Add RPM directory for hppa2.0
* Fri Nov 21 2003 ro@suse.de
- fpexec decrease go rights to 11
* Wed Nov 05 2003 ro@suse.de
- inn scripts: u-w (not needed)
* Mon Nov 03 2003 schwab@suse.de
- chkstat: fix option parsing.
* Wed Oct 29 2003 kukuk@suse.de
- Sync permissions for shadow package
* Tue Oct 28 2003 ro@suse.de
- require /sbin/SuSEconfig
* Tue Oct 28 2003 ro@suse.de
- chkstat: added some new extensions:
allow specifying singular files or a filelist to be checked
output previous/current mode of a failed file
adapted manpage
* Tue Oct 21 2003 draht@suse.de
- permissions.secure: /etc/ftpusers 0640 root.root -> 0644
* Mon Oct 20 2003 ro@suse.de
- permissions.*: use ":" and not "." to separate user/group
- chkstat: output also which of (permissions/owner) is wrong
- chkstat: don't try to chown if not root
* Tue Oct 14 2003 draht@suse.de
- reformatting of all 4 permissions files. xkobo, rocksndiamonds,
xlogical, lbreakout2 and ltris path adoptions.
for future reference: :-)
for i in permissions permissions.easy permissions.secure \
permissions.paranoid; do cat $i | \
awk '/^(#|$)/ { print $0; next; }
{ if(NF > 3) {printf("error: %%s\n",$0);exit};
printf("%%-55s %%-17s %%4s\n",$1,$2,$3)}' \
> $i.. && mv $i.. $i; done
* Thu Sep 18 2003 kukuk@suse.de
- Fix group of straps, popauth and ntping
- Remove some GNOME games which do not need special rights anymore
* Tue Sep 16 2003 kukuk@suse.de
- permissions.easy: change group of bing, vboxbeep, plpnfsd to
trusted, majordomo/wrapper to daemon
* Tue Sep 16 2003 kukuk@suse.de
- permissions.easy: change group of gpasswd and ziptool to trusted
* Tue Sep 02 2003 kkeil@suse.de
- fix user fax for hylafax specific files
* Tue Sep 02 2003 kukuk@suse.de
- fix path to cons.saver, remove setuid bit in paranoid (#25907)
- remove screen
- remove smail (dropped years ago)
* Mon Sep 01 2003 kkeil@suse.de
- fix group for isdnctrl uucp --> dialout (#28997)
* Mon Sep 01 2003 draht@suse.de
- feedback@suse.de -> http://www.suse.de/feedback in all files of
the package. #29635.
* Sat Aug 23 2003 sndirsch@suse.de
- added martian entries of package pachi
* Tue Aug 19 2003 mmj@suse.de
- Add sysconfig metadata [#28937]
* Tue Jul 29 2003 draht@suse.de
- fax changes from Tomas Crhak: faxq-helper and spool directories.
* Tue Jul 29 2003 ro@suse.de
- gnome games moved back to /opt/gnome
* Mon Jul 28 2003 kukuk@suse.de
- Remove /var/run from permissions file list [Bug #28289]
* Mon Jul 28 2003 kukuk@suse.de
- /var/lib/gdm: Removed to solve [Bug #28257] for future products.
* Fri Jul 25 2003 draht@suse.de
- /usr/lib/vte/gnome-pty-helper -> /opt/gnome/lib/vte/gnome-pty-helper
The same with /opt/gnome/lib64/.
* Fri Jun 13 2003 kukuk@suse.de
- /usr/lib/mgetty+sendfax/faxq-helper added 4711 in easy and secure
* Fri May 02 2003 sndirsch@suse.de
- added /usr/games/pachi and /var/games/pachi.scores
* Mon Mar 10 2003 sndirsch@suse.de
- added /usr/games/falconseye.bin
- removed /usr/games/falconseye
* Mon Mar 10 2003 kukuk@suse.de
- added /usr/lib64/vte/gnome-pty-helper until ported to utempter
* Sun Mar 09 2003 sndirsch@suse.de
- added /usr/games/falconseye
- removed old falconseye entries
* Thu Mar 06 2003 ro@suse.de
- added /usr/lib/vte/gnome-pty-helper until ported to utempter
* Thu Feb 20 2003 mmj@suse.de
- Add sysconfig metadata [#22686]
* Tue Feb 18 2003 kssingvo@suse.de
- removed squid entries. They will be added and corrected to squids own
permission file /etc/permissions.d/squid (bugzilla#23752):
/var/squid
/var/squid/cache
/var/squid/logs
* Tue Feb 18 2003 draht@suse.de
- /usr/games/trackballs added 2755 games.games in easy.
* Sun Feb 16 2003 adrian@suse.de
- allow khc_indexbuilder to write into /var/cache/susehelp in easy mode
- remove old entries (kreatecd and kscd)
* Mon Feb 10 2003 draht@suse.de
- additions/changes (from #17012, Tobias Burnus):
* read all files from the commandline at once and override
entries given multiple times by the last entry
* enable option --set in addition to -set
* manpage adoptions
* call chkstat only once from SuSEconfig.permissions
* Thu Feb 06 2003 ro@suse.de
- /var/mtrack -> /var/lib/mtrack
* Tue Nov 19 2002 ro@suse.de
- zapping_setup_fb moved to /opt/gnome/sbin
* Thu Nov 14 2002 bg@suse.de
- added hppa to rpm subsystem in permissions files to be able to
finish autobuild
* Thu Oct 24 2002 ro@suse.de
- two more nethack flavors with sgid games in easy
* Tue Sep 10 2002 draht@suse.de
- cda entries below /usr/X11R6/lib/X11/xmcd removed.
index.html under /var/lib/xmcd/discog directories added
world-writeable. This is not satisfactory. New user xmcd will be
added in next release.
* Thu Sep 05 2002 draht@suse.de
- /usr/X11R6/lib/X11/xmcd/bin-Linux-ia64/{cda,xmcd} added.
* Mon Aug 26 2002 draht@suse.de
- removed all occurrences of kv4lsetup upon request by adrian+uli.
- -s for xlock, xlock-mesa + xscreensaver (#18125), (#18132)
- /usr/src/packages/RPMS/alphaev67 added.
- added /sbin/unix2_chkpwd root.shadow 2755
- -s /usr/sbin/papd (#18103)
* Wed Aug 21 2002 draht@suse.de
- removed suid bits from heimdal's su and otp (#18104)
* Wed Aug 21 2002 draht@suse.de
- remove setuid bit from traceroute due to new implementation by
Olaf Kirch which doesn't need euid root. (#18101)
* Wed Aug 21 2002 draht@suse.de
- removed lprng entries because of conflicts cups <-> lprng
* Wed Aug 21 2002 draht@suse.de
- vboxbeep -> 0755 in secure.
* Mon Aug 19 2002 ro@suse.de
- added prereq (#17956)
* Mon Aug 19 2002 uli@suse.de
- added nethack for lib64 archs
* Mon Aug 19 2002 uli@suse.de
- added xmcd for archs != i386
* Tue Aug 13 2002 draht@suse.de
- gnome-games2 entries changed/adopted to /opt/gnome2 path.
* Tue Aug 13 2002 draht@suse.de
- changed kcheckpass from 2755 root.shadow to 4755. (#17664)
* Wed Jul 31 2002 olh@suse.de
- ncpmount, ncpumount, nwsfind, ncplogin, ncpmap root.trusted 4750
* Sat Jul 27 2002 kukuk@suse.de
- Rename group wwwadmin to www
- Rename group game to games
* Tue Jul 23 2002 draht@suse.de
- added sapdb files, not setuid root in secure,paranoid.
* Mon Jul 22 2002 draht@suse.de
- added frontpage files
* Tue Jul 16 2002 draht@suse.de
- changed entries for mailman: group mdom -> mailman
* Tue Jul 16 2002 draht@suse.de
- mailman sgid mdom files added to easy, secure and paranoid.
* Wed Jul 10 2002 draht@suse.de
- .paranoid comment fixed about at and cron (#12159)
* Mon Jul 08 2002 draht@suse.de
- ppp dialup networking fixes and cleanup.
* Mon Jul 08 2002 draht@suse.de
- modifications: -s for pppd, world-writeable directories for
kdemultimedia3-sound, gift, mips and armv4l RPMS directory.
* Fri Jul 05 2002 kukuk@suse.de
- Add /usr/src/packages/RPMS/sparcv9 to easy,secure,paranoid.
* Thu Jul 04 2002 draht@suse.de
- /usr/lib64/pt_chown added to easy,secure,paranoid.
* Mon Jul 01 2002 draht@suse.de
- entries for packages added or changed:
squid
geki2
d1x
falconseye
fdutils
gewels
gnome-games
heimdal
lbreakout
lpdfilter
lprng
man
mgetty (/var/spool/fax/outgoing/* need discussion)
mtrack (locfile+satfile -> 0644)
nethack
nvi-m17n (/var/preserve/vi.recover -> 1777)
opie (/bin -> /usr/bin)
pcp
plptools
qpopper
rp-pppoe (/usr/sbin/pppoe-wrapper)
smpppd (/usr/sbin/cinternet-wwwrun wwwrun.dialout 2750)
squid (/usr/sbin/pam_auth)
su-wrapper
xemacs (lock directory changed again? now /var/state/xemacs and /var/lib/xemacs)
xgalaga
xmcd
xscrabble
* Mon Jul 01 2002 ro@suse.de
- don't install all sources (spec file etc.)
* Fri Jun 28 2002 draht@suse.de
- minor spec file change
* Fri Jun 28 2002 draht@suse.de
- entries for packages added:
ftpdir
gnokii
kamplus
geki2
aaa_dir (/tmp/.ICE-unix)
* Fri Jun 28 2002 draht@suse.de
- unpack tar archive in source for convenience.
* Thu Jun 27 2002 olh@suse.de
- update permissions of /usr/src/packages/RPMS/<arch>
* Fri Jun 21 2002 ro@suse.de
- created package as split off from aaa_base